A director of an international bank took concerns about cyber crime into his own hands recently, hiring a specialized team to covertly breach his own company’s network.

The attackers used a so-called “spear phishing” technique, baiting the bank’s employees to open an email that appeared to come from someone they knew. If they did — and clicked on the attachment — their computers were infected with malicious software, which then spread to other computers in the network. Once they were in, the expert hackers revealed themselves to the bank’s management, whom they then graded on their ability to track down the infiltrators and thwart unauthorized money transfers.

“Once we … gave them hints, it took more time than it should have to find us,” says Robert Masse, a partner at Deloitte in Montreal who runs the consultant’s Canadian incident response practice, which runs such infiltration exercises for financial companies around the world.

Masse, who agreed to discuss only non-Canadian cases because he didn’t want to risk disclosing information that could identify a client in the small domestic market, said he was not surprised the international bank was not up to snuff.

“Unless you have gone through this exercise before, almost everyone is in the same boat.”

For the Canadian financial industry, the stakes in the cyber-security game are enormous. Bay Street banks and wealth management firms have access to some of the most sensitive data in the country, and access to millions of dollars in savings and investments, which makes them a natural target for hackers.

“The closer you get to the money, the more of a target you are to cyber criminals,” says David Mohajer, chief executive of cyber security firm Xahive.